This changes the way RELRO is detected: instead of using the linker's help text, it
queries the compiler and linker for whether they support the specific
arguments.
+++ /dev/null
-found_variant = false
-
-ld_help_result = run_command(cxx, '-Wl,-help', check: false)
-if ld_help_result.returncode() != 0
- warning('Linker does not support help text output. ' +
- 'Read-only global offset table will be disabled')
-else
- ld_help = ld_help_result.stdout().strip()
- variants = ['relro', 'now']
- foreach variant: variants
- if ld_help.contains('-z ' + variant)
- found_variant = true
- add_project_link_arguments('-Wl,-z', '-Wl,' + variant, language: ['c', 'cpp'])
- endif
- endforeach
-endif
-
-hardening_features += [[found_variant, 'Read-only Global Offset Table']]
-summary('Read-only GOT', found_variant, bool_yn: true, section: 'Hardening')
opt_hardening = get_option('hardening')
-
if opt_hardening.enabled() or opt_hardening.auto()
hardening_features = []
subdir('stack-prot') # Stack Protector
subdir('stack-smashing-prot') # Stack-Smashing Protection
subdir('fortify-source') # Fortify Source
- subdir('global-offset-table') # Read-only Global Offset Table
+ subdir('relro') # RELRO
foreach feature: hardening_features
available = feature[0]
if opt_hardening.auto()
warning(name + ' is disabled or not supported')
else
- error('Failing because ' + name + ' is not supported but hardening was explicitly requested')
+ error('Failing because ' + name + ' is not supported but hardening was requested')
+ endif
+ endif
+ endforeach
+endif
+
+opt_full_hardening = get_option('hardening-full')
+if opt_full_hardening.enabled() or opt_full_hardening.auto()
+ full_hardening_features = []
+ subdir('relro-full') # Full RELRO
+
+ foreach feature: full_hardening_features
+ available = feature[0]
+ name = feature[1]
+
+ if not available
+ if opt_full_hardening.auto()
+ warning(name + ' is disabled or not supported')
+ else
+ error('Failing because ' + name + ' is not supported but full hardening was requested')
endif
endif
endforeach
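Review bot: The `error(...)` branches at the end of both feature loops can no longer fire for RELRO, because the new relro and relro-full files only ever append `[true, ...]` entries to the feature lists. With `-Dhardening=enabled` or `-Dhardening-full=enabled`, an unsupported linker flag is now skipped silently and only shows up as NO in the summary, whereas the removed file appended `[found_variant, ...]` and could fail the build. Record the negative result too, e.g. add `hardening_features += [[false, 'RELRO (' + variant + ')']]` in the `else` branch of the relro loop and the `full_hardening_features` equivalent in relro-full. The `endif` that closes the new `hardening-full` block is not visible in this hunk.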
--- /dev/null
+have_full_relro = true
+full_variants = [
+ '-Wl,-z,defs',
+ '-Wl,-z,ibt,-z,shstk',
+]
+
+foreach variant: full_variants
+ if cxx.has_link_argument(variant)
+ full_hardening_features += [[true, 'Full RELRO (' + variant + ')']]
+ add_project_link_arguments(variant, language: ['c', 'cpp'])
+ else
+ have_full_relro = false
+ endif
+endforeach
+
+summary('Full RELRO', have_full_relro, bool_yn: true, section: 'Hardening')
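Review bot: Neither flag in `full_variants` is RELRO, so the 'Full RELRO' feature name and summary label misreport what gets enabled: `-z defs` rejects undefined symbols at link time, and `-z ibt`/`-z shstk` mark the output as compatible with Intel CET indirect-branch tracking and shadow stacks. What is usually called full RELRO is `-z relro` combined with `-z now`, which the separate relro file in this commit already adds. Consider naming the entries after the flags, e.g. `summary('Link hardening (defs, CET)', have_full_relro, bool_yn: true, section: 'Hardening')`. It is also worth confirming that objects are built with a matching compile-time option such as `-fcf-protection`; nothing in this diff adds one, and forcing the CET markers onto code built without it is presumably unsafe on hardware that enforces them.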
--- /dev/null
+have_relro = true
+variants = [
+ '-Wl,-z,relro',
+ '-Wl,-z,now',
+]
+
+foreach variant: variants
+ if cxx.has_link_argument(variant)
+ hardening_features += [[true, 'RELRO (' + variant + ')']]
+ add_project_link_arguments(variant, language: ['c', 'cpp'])
+ else
+ have_relro = false
+ endif
+endforeach
+
+summary('RELRO', have_relro, bool_yn: true, section: 'Hardening')
option('lua', type: 'combo', choices: ['auto', 'luajit', 'lua'], value: 'auto', description: 'Lua implementation to use')
option('hardening', type: 'feature', value: 'auto', description: 'Compiler security checks')
+option('hardening-full', type: 'feature', value: 'auto', description: 'Compiler security checks with a performance penalty')
option('fortify-source', type: 'combo', choices: ['auto', 'disabled', '1', '2', '3'], value: '2', description: 'Source fortification level')
option('rng-kiss', type: 'boolean', value: false, description: 'Use the unsafe KISS RNG')
option('signers-libsodium', type: 'feature', value: 'auto', description: 'Enable libsodium-based signers')
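Review bot: The description for `hardening-full` does not say what the option turns on, and the flags behind it are linker arguments rather than compiler checks. Because the default is `auto`, they are applied on every build where the linker accepts them, so users need to be able to tell what they would be opting out of. Something like `description: 'Extra link-time hardening (-z defs, CET markers); may cost performance'` would make that visible when the options are listed.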